Password Policy/App rename/PM Scheduling Improvements

This commit is contained in:
2026-06-06 02:32:47 -05:00
parent dfd999b6a9
commit f024286b5e
59 changed files with 3814 additions and 299 deletions

View File

@@ -4,11 +4,15 @@ const { all, audit, now, one, run } = require('../db');
const { requireCapability } = require('../middleware/auth');
const { CAPABILITIES } = require('../services/accessControl');
const { createRole, deleteRole, listRoles, roleExists, updateRole } = require('../services/roles');
const passwordPolicy = require('../services/passwordPolicy');
const auditTrail = require('../services/auditTrail');
const router = express.Router();
const userSelect = `
SELECT u.id, u.team_id, t.name AS team_name, u.name, u.email, u.role, u.status, u.created_at, u.updated_at
SELECT u.id, u.team_id, t.name AS team_name, u.name, u.email, u.role, u.status,
u.last_login_at, u.locked_until, u.must_change_password, u.password_changed_at,
u.created_at, u.updated_at
FROM users u
LEFT JOIN teams t ON t.id = u.team_id
`;
@@ -47,20 +51,32 @@ router.get('/users', requireCapability('admin.users'), (req, res) => {
router.post('/users', requireCapability('admin.users'), (req, res) => {
validateRole(req.body.role || 'viewer');
if (req.body.status && !['active', 'inactive'].includes(req.body.status)) return res.status(400).json({ error: 'Invalid status' });
// An admin-supplied password must satisfy the policy. When none is given we issue a temporary
// password and force a change at first login (so a throwaway temp isn't policy-checked).
const supplied = req.body.password;
if (supplied) passwordPolicy.validatePassword(supplied, { name: req.body.name, email: req.body.email });
const rawPassword = supplied || 'ChangeMe123!';
const mustChange = req.body.must_change_password || !supplied ? 1 : 0;
const created = now();
const hash = bcrypt.hashSync(rawPassword, 12);
const result = run(
'INSERT INTO users (team_id, name, email, password_hash, role, status, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?)',
'INSERT INTO users (team_id, name, email, password_hash, role, status, password_changed_at, must_change_password, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)',
[
req.body.team_id || one('SELECT id FROM teams ORDER BY id LIMIT 1')?.id,
req.body.name,
req.body.email,
bcrypt.hashSync(req.body.password || 'ChangeMe123!', 12),
hash,
req.body.role || 'viewer',
req.body.status || 'active',
created,
mustChange,
created,
created
]
);
passwordPolicy.recordPassword(result.lastInsertRowid, hash);
audit(req.user.id, 'create', 'user', result.lastInsertRowid, null, { ...req.body, password: '[redacted]' });
res.status(201).json({ user: publicAdminUser(result.lastInsertRowid) });
});
@@ -79,6 +95,19 @@ router.put('/users/:id', requireCapability('admin.users'), (req, res) => {
return res.status(400).json({ error: 'At least one active admin is required' });
}
// Validate before any write so a rejected password leaves the row untouched.
if (req.body.password) {
passwordPolicy.validatePassword(req.body.password, {
id: Number(req.params.id),
name: req.body.name || before.name,
email: req.body.email || before.email
});
}
const nextMustChange = req.body.must_change_password !== undefined
? (req.body.must_change_password ? 1 : 0)
: before.must_change_password;
const updated = now();
run(
`UPDATE users SET
@@ -87,6 +116,7 @@ router.put('/users/:id', requireCapability('admin.users'), (req, res) => {
email = ?,
role = ?,
status = ?,
must_change_password = ?,
updated_at = ?
WHERE id = ?`,
[
@@ -95,17 +125,24 @@ router.put('/users/:id', requireCapability('admin.users'), (req, res) => {
req.body.email || before.email,
nextRole,
nextStatus,
nextMustChange,
updated,
req.params.id
]
);
if (req.body.password) {
run('UPDATE users SET password_hash = ?, updated_at = ? WHERE id = ?', [
bcrypt.hashSync(req.body.password, 12),
const hash = bcrypt.hashSync(req.body.password, 12);
// Admin-set password forces a change at next login unless explicitly cleared.
const forceChange = req.body.must_change_password === false ? 0 : 1;
run('UPDATE users SET password_hash = ?, password_changed_at = ?, must_change_password = ?, updated_at = ? WHERE id = ?', [
hash,
updated,
forceChange,
updated,
req.params.id
]);
passwordPolicy.recordPassword(req.params.id, hash);
}
const user = publicAdminUser(req.params.id);
@@ -181,4 +218,51 @@ router.delete('/roles/:key', requireCapability('admin.roles'), (req, res) => {
return res.status(204).end();
});
// ---- Account lockout --------------------------------------------------------
router.post('/users/:id/unlock', requireCapability('admin.users'), (req, res) => {
const user = publicAdminUser(req.params.id);
if (!user) return res.status(404).json({ error: 'User not found' });
passwordPolicy.unlock(req.params.id, req.user.id);
return res.json({ user: publicAdminUser(req.params.id) });
});
// ---- Password & lockout policy ----------------------------------------------
router.get('/password-policy', requireCapability('admin.security'), (req, res) => {
const policy = passwordPolicy.getPolicy();
res.json({ policy, rules: passwordPolicy.describe(policy) });
});
router.put('/password-policy', requireCapability('admin.security'), (req, res) => {
const policy = passwordPolicy.savePolicy(req.body.policy || req.body, req.user.id);
res.json({ policy, rules: passwordPolicy.describe(policy) });
});
// ---- Activity & audit trail -------------------------------------------------
function auditFilters(query) {
return {
actor: query.actor || null,
action: query.action || null,
entity_type: query.entity_type || null,
from: query.from || null,
to: query.to || null,
q: query.q || null
};
}
router.get('/audit-logs', requireCapability('admin.audit'), (req, res) => {
const result = auditTrail.query(auditFilters(req.query), { page: req.query.page, pageSize: req.query.pageSize });
res.json({ ...result, facets: auditTrail.facets() });
});
router.get('/audit-logs/export', requireCapability('admin.audit'), (req, res) => {
const rows = auditTrail.queryAll(auditFilters(req.query));
audit(req.user.id, 'export', 'audit_logs', 'csv', null, { count: rows.length, filters: auditFilters(req.query) });
res.setHeader('Content-Type', 'text/csv; charset=utf-8');
res.setHeader('Content-Disposition', `attachment; filename="audit-trail-${now().slice(0, 10)}.csv"`);
res.send(auditTrail.toCsv(rows));
});
module.exports = router;